What is EPSS?

The Exploit Prediction Scoring System estimates how likely a vulnerability is to be exploited in the wild — and it changes everything about how you prioritize patching.

The Problem with CVSS Alone

CVSS (Common Vulnerability Scoring System) tells you how bad a vulnerability could be if exploited. But it doesn't tell you how likely it is to be exploited.

In practice, this creates a prioritization nightmare. A typical organization has hundreds or thousands of CRITICAL/HIGH CVEs in its dependency tree. CVSS says they're all equally urgent. But only a tiny fraction will ever be exploited in the real world.

According to research by FIRST.org (the maintainers of EPSS), only about 5% of all published CVEs are ever exploited. Teams that patch by CVSS score alone waste enormous effort on vulnerabilities that will never be weaponized.

How EPSS Works

EPSS is a machine learning model maintained by FIRST.org that predicts the probability of a CVE being exploited in the next 30 days. It uses:

  • CVE age and metadata — when it was published, what type of vulnerability it is
  • Exploit code availability — whether proof-of-concept or weaponized exploits exist
  • Social media and threat intel signals — mentions, activity, chatter
  • Historical exploitation patterns — what types of CVEs have been exploited before

The output is a score from 0 to 1 (often shown as a percentage) and a percentile ranking (where that score sits relative to all other scored CVEs). A CVE with an EPSS score of 0.95 is estimated to have a 95% probability of being exploited in the next 30 days.

EPSS vs CVSS: A Real Example

CVE-2021-44228 (Log4Shell)

CVSS: 10.0 CRITICAL
EPSS: 97.6%
CISA KEV: Yes

Both CVSS and EPSS agree: patch immediately.

A typical CRITICAL CVE

CVSS: 9.8 CRITICAL
EPSS: 0.04%
CISA KEV: No

CVSS says critical. EPSS says: almost zero real-world risk.

Without EPSS, both of these CVEs trigger the same alert. With EPSS, you know which one to drop everything for and which one can wait for the next sprint.

EPSS Scores in PatchPulse

Every PatchPulse API response includes the EPSS score and percentile for the CVE. You can also query EPSS history to track how a vulnerability's exploit probability changes over time.

curl https://patchapi.shanecode.org/v1/cve/CVE-2021-44228

// Response includes:
"epss": { "score": 0.97556, "percentile": 0.999, "date": "2026-03-12" }

How to Use EPSS for Prioritization

  1. CISA KEV first — if it's in the KEV catalog, it's actively exploited. Patch now.
  2. EPSS > 10% — high probability of exploitation. Prioritize this sprint.
  3. EPSS 1-10% — moderate risk. Schedule for upcoming maintenance.
  4. EPSS < 1% — low probability. Address in normal dependency updates.

This is what PatchPulse's manifest scan does automatically — it sorts your vulnerabilities by KEV status first, then EPSS score descending, so you always know what to fix first.
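The following is an added example, not PatchPulse's own code, showing how the four-step ladder above and the KEV-first, EPSS-descending ordering can be applied to API responses shaped like the "epss" object shown under "EPSS Scores in PatchPulse". The sample responses are constructed inline: CVE-2021-44228 is the real identifier from this page, the CVE-EXAMPLE-* ids are placeholders, and the "kev" and "cvss" fields are assumed to be present (the page only shows the "epss" fragment). The parser rejects a missing or out-of-range score so that a malformed response cannot silently sort to the bottom of the queue.

```python
"""Triage findings by CISA KEV status and EPSS score.

Added example; not PatchPulse's own code. The "epss" object shape matches the
response fragment shown on the page; the "kev" and "cvss" fields are assumed.
"""
import json
from typing import Dict, List, Tuple

# Thresholds from the page's prioritization ladder (fractions of 1, not percent).
EPSS_HIGH = 0.10      # > 10%: prioritize this sprint
EPSS_MODERATE = 0.01  # 1-10%: schedule for upcoming maintenance

# Constructed sample API responses. Only CVE-2021-44228 is a real identifier
# (taken from the page); the CVE-EXAMPLE-* ids are placeholders.
SAMPLE_RESPONSES = [
    json.dumps({"cve": "CVE-2021-44228", "cvss": 10.0, "kev": True,
                "epss": {"score": 0.97556, "percentile": 0.999, "date": "2026-03-12"}}),
    json.dumps({"cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "kev": False,
                "epss": {"score": 0.0004, "percentile": 0.12, "date": "2026-03-12"}}),
    json.dumps({"cve": "CVE-EXAMPLE-0002", "cvss": 7.5, "kev": False,
                "epss": {"score": 0.25, "percentile": 0.96, "date": "2026-03-12"}}),
    json.dumps({"cve": "CVE-EXAMPLE-0003", "cvss": 8.1, "kev": False,
                "epss": {"score": 0.03, "percentile": 0.88, "date": "2026-03-12"}}),
    json.dumps({"cve": "CVE-EXAMPLE-0004", "cvss": 6.5, "kev": True,
                "epss": {"score": 0.02, "percentile": 0.85, "date": "2026-03-12"}}),
]


def parse_finding(raw: str) -> Dict:
    """Extract the fields triage needs from one API response body.

    Raises ValueError if the EPSS score is missing or outside [0, 1].
    """
    body = json.loads(raw)
    epss = body.get("epss") or {}
    score = epss.get("score")
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
        raise ValueError(f"{body.get('cve')}: bad EPSS score {score!r}")
    return {
        "cve": body["cve"],
        "cvss": float(body.get("cvss", 0.0)),
        "kev": bool(body.get("kev", False)),
        "epss": float(score),
        "percentile": float(epss.get("percentile", 0.0)),
    }


def tier(finding: Dict) -> str:
    """Map a finding onto the page's four-step ladder."""
    if finding["kev"]:
        return "patch now (KEV)"
    if finding["epss"] > EPSS_HIGH:
        return "this sprint"
    if finding["epss"] >= EPSS_MODERATE:
        return "upcoming maintenance"
    return "normal updates"


def as_percent(score: float) -> str:
    """Render a 0..1 EPSS score as a percentage (e.g. 0.0004 -> 0.04%)."""
    return f"{score * 100:.2f}%"


def triage(raw_responses: List[str]) -> List[Tuple[str, str, str]]:
    """Sort KEV entries first, then by EPSS descending; return (cve, epss%, tier)."""
    findings = [parse_finding(r) for r in raw_responses]
    findings.sort(key=lambda f: (not f["kev"], -f["epss"]))
    return [(f["cve"], as_percent(f["epss"]), tier(f)) for f in findings]


if __name__ == "__main__":
    for cve, pct, action in triage(SAMPLE_RESPONSES):
        print(f"{cve:<18} EPSS {pct:>7}  -> {action}")
```

Note that the KEV entry with a 2% EPSS score still lands above the non-KEV entry at 25%: KEV is a statement that exploitation has already been observed, so the ordering treats it as outranking any probability estimate, exactly as step 1 of the ladder says.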

Get EPSS Scores via API

Every PatchPulse response includes EPSS exploit probability. Free tier available.
